Week in review: SATCOM (in)security, Heartbleed fallout, and the security of programming languages

Posted on 22 April 2014.

Here's an overview of some of last week's most interesting news and articles:

Appeals court overturns AT&T hacker's sentence
Andrew "weev" Auernheimer, a hacker and member of Goatse Security, was sentenced to 41 months in prison for his role in harvesting and publishing the email addresses and AT&T authentication IDs of 114,000 early adopters of Apple's iPad in 2010.

Identifying security innovation strategies
Tom Quillin is the Director of Cyber Security Technology and Initiatives at Intel Corporation. In this interview he talks about security innovation, current and future threats.

Whitepaper: Adapting security to the cloud
This whitepaper describes how adoption of cloud technology can potentially change an organization's security requirements and how organizations can adapt their IT and security infrastructure to address these challenges.

First phase of TrueCrypt audit finds no backdoors
Remember when, late last year, cryptographer Matthew Green and Kenneth White, Principal Scientist at Social & Scientific Systems, called for - and then organized - a crowdfunded, public security audit of TrueCrypt? Well, the results of the first phase of the audit have been published, and the news is good with regard to potential backdoors in the code.

Heartbleed threatens mobile users
As time passes, it becomes more and more obvious that almost no-one is safe from the danger created by the existence of the OpenSSL Heartbleed bug.

Heartbleed should jumpstart important security changes
Taking a step back from the immediate frenzy of finding vulnerable OpenSSL deployments and patching websites and network infrastructure to mitigate this security risk, it's pretty clear that we have a lot of work to do as a security community on numerous fronts.

Samsung Galaxy S5 fingerprint scanner can be tricked
Samsung's newly released Galaxy S5 phone sports a fingerprint scanner embedded in the home button that works well but, unfortunately, like the iPhone 5S's Touch ID before it, can be tricked with a mould of the user's fingerprint.

Secure email service Lavaboom launches
Lavaboom, a German secure email service that aims to provide users with the most secure email account they will ever own (their words), will go into private beta around Easter.

Student arrested for Heartbleed-exploiting tax agency breach
A 19-year-old Canadian student has been arrested for breaching the systems of the Canada Revenue Agency (CRA) and extracting Social Insurance Numbers of some 900 taxpayers. It is believed that he was able to do so by exploiting the infamous Heartbleed bug.

The dismal state of SATCOM security
Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired, says Ruben Santamarta, principal security consultant with IOActive. The list of security weaknesses he and his colleagues found while analyzing and reverse-engineering the firmware of the most widely deployed Inmarsat and Iridium SATCOM terminals includes not only design flaws but also features that could be of use to attackers.

Compliance is no guarantee of security
While there is nothing wrong with the PCI DSS standard as a set of controls, it is little more than the basic minimum that an organisation should set out to achieve. It should not be a replacement for solid Business-as-Usual (BAU) security practices.

3M payment cards compromised in Michaels Stores/Aaron Brothers breach
"After weeks of analysis, the company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms," the company stated in the press release.

Beware of clever phishing scam that bypasses Steam Guard
Malwarebytes' Chris Boyd is warning owners of Steam accounts about a relatively new phishing approach that goes after both their account login credentials and a file that lets the attackers bypass entering the Steam Guard verification code.
